How do I disable the built-in Smart Card support in macOS Sierra?

I'm seeing a lot of inconsistency in the funtion of the built-in smart card support in Sierra. I've been looking for a way to disable it to test some of the tokend solutions available, but there doesn't appear to be any way to disable it. Is anyone aware of a way to disable or override the build in smart card software?

Up vote post of J.Thomas Down vote post of J.Thomas
9.1k views
Posted by
J.Thomas
Reply
Add a Comment

Accepted Reply

I found the answer in the man page for SmartCardServices-legacy :


DISABLING NEW SMART CARD SUPPORT

It is possible to turn of the new tokens by setting the global preference:


sudo defaults write /Library/Preferences/com.apple.security.smartcard DisabledTokens -array

com.apple.CryptoTokenKit.pivtoken


After writing that plist, all tokend solutions appear to work, some better than others.

Posted by
J.Thomas
Up vote reply of J.Thomas Down vote reply of J.Thomas
Post marked as solved
Add a Comment

Replies

I found the answer in the man page for SmartCardServices-legacy :


DISABLING NEW SMART CARD SUPPORT

It is possible to turn of the new tokens by setting the global preference:


sudo defaults write /Library/Preferences/com.apple.security.smartcard DisabledTokens -array

com.apple.CryptoTokenKit.pivtoken


After writing that plist, all tokend solutions appear to work, some better than others.

Posted by
J.Thomas
Up vote reply of J.Thomas Down vote reply of J.Thomas
Post marked as solved
Add a Comment
I had disabled the native SC drivers to allow me to test some third party middleware. After uninstalling that, I am unable to re-enable the native pivtoken drivers.

I run %security smartcards token -l
it returns "com.apple.CryptoTokenKit.pivtoken"

I have tried to run %security smartcards token -e com.apple.CrtpyoTokenKit.pivtoken
and receive Permission Denied!

I have also run sudo defaults write /Library/PReferences/com.apple.security.smartcard EnableTokens -array com.apple.CryptoTokenKit.pivtoken

I am prompted for the admin pw, it appears to run without issue.

However pivtoken still shows as disabled in both the System Report and when I run the -l command again.

Any help identifying what I may be missing would be appreciated.


Posted by
TimClyde
Up vote reply of TimClyde Down vote reply of TimClyde
Add a Comment